Commerce Department Publishes Proposed Rule to Secure Connected Vehicle Supply Chain

Commerce Department Publishes Proposed Rule to Secure Connected Vehicle Supply Chain

September 26, 2024, Covington Alert

On September 26, 2024, the U.S. Department of Commerce's Bureau of Industry and Security ("BIS") published a Notice of Proposed Rulemaking ("NPRM" or "Proposed Rule") that would, if implemented as proposed, prohibit the import of certain hardware related to Vehicle Connectivity Systems ("VCS") from the People's Republic of China ("PRC") and Russia. The Proposed Rule would further prohibit the sale or import of connected vehicles ("CVs") that incorporate certain software related to VCS or Automated Driving Systems ("ADS"). As drafted, the Proposed Rule could have broad-reaching implications for the automotive industry as it will impose a significant new compliance burden on manufacturers and importers and reshape automotive supply chains.

Background

On February 29, 2024, BIS released an advanced notice of proposed rulemaking ("ANPRM") to "investigate the national security risks from connected vehicles that incorporate technology from countries of concern, including China, and consider regulations to address those risks." In the ANPRM, BIS described the national security concerns associated with information and communications technology and services ("ICTS") found in connected vehicles, including the potential exploitation of technology and data by foreign adversaries, and previewed that in light of such risks, BIS was considering regulating an entire class of transactions involving ICTS in connected vehicles. Such regulations would be consistent with authority granted by E.O. 13873 (the "ICTS EO"), which allows the Department of Commerce to not only investigate certain ICTS transactions on a case-by-case basis, but also to categorically prohibit or restrict certain classes of transactions that pose an unacceptable risk to U.S. national security (See Covington alert). The ANPRM was subject to a public comment period, after which BIS further developed and defined the scope of the proposed prohibitions, as reflected in the Proposed Rule.

While the Proposed Rule and accompanying commentary signal that the clear direction of U.S. policy is toward greater regulation of automotive companies and technology for purposes of addressing U.S. national security concerns, principally focused on China, the NPRM also reflects that BIS considered the public comments submitted in response to the ANPRM and sought to develop a more narrow and tailored Proposed Rule than initially contemplated in the ANPRM. In particular, and as detailed below, the Proposed Rule is focused on the hardware and software components that comprise VCS as well as the software that comprises ADS. Other hardware and software components that may be found within a connected vehicle, but not within one of those two systems, will for now fall outside the scope of the contemplated prohibitions. At the same time, the Proposed Rule as drafted could impose a significant burden across companies in the automotive industry ranging from component suppliers to manufacturers and sellers of completed connected vehicles.

Prohibitions and Compliance Requirements

The Proposed Rule would, absent a General or Specific Authorization:

1. prohibit VCS Hardware Importers from knowingly importing into the United States certain hardware for VCS ("VCS Hardware," as further defined below);
2. prohibit connected vehicle manufacturers from knowingly importing into the United States completed connected vehicles incorporating certain software that supports the function of VCS or ADS (VCS and ADS software are collectively referred to as "covered software," as further defined below);
3. prohibit connected vehicle manufacturers from knowingly selling within the United States completed connected vehicles that incorporate certain covered software; and
4. prohibit connected vehicle manufacturers who are owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia from knowingly selling in the United States completed connected vehicles that incorporate VCS hardware or covered software.

Prohibitions (1) through (3) would apply when such VCS hardware or covered software is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia. Prohibition (4) would apply regardless of whether the hardware or software was designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia.

The prohibitions on the import or sale of connected vehicles that incorporate covered software would take effect for Model Year 2027 (i.e., model year 2027 vehicles), and the prohibitions on the import of VCS hardware would take effect for Model Year 2030 (i.e., model year 2030 vehicles), or January 1, 2029, for hardware not associated with a specific model year.

Key Definitions

• Automated Driving Systems ("ADS") means "hardware and software that, collectively, are capable of performing the entire dynamic driving task for a completed connected vehicle on a sustained basis, regardless of whether it is limited to a specific operational design domain (ODD)."
• Connected Vehicle means a "vehicle driven or drawn by mechanical power and manufactured primarily for use on public streets, roads, and highways, that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device. Vehicles operated only on a rail line are not included in this definition."
• Covered software means "the software-based components, in which there is a foreign interest, executed by the primary processing unit of the respective systems that are part of an item that supports the function of Vehicle Connectivity Systems or Automated Driving Systems at the vehicle level," excluding firmware and open source software.
• Foreign interest means "any interest in property of any nature whatsoever, whether direct or indirect, by a non-U.S. person." According to BIS's explanation of the rule, a foreign interest can include, but is not limited to, "an interest through ownership, intellectual property, contract-e.g., ongoing supply commitments such as maintenance, any license agreement related to the use of intellectual property-profit-sharing or fee arrangement, as well as any other cognizable interest." Moreover, according to BIS, "ADS and VCS software is frequently designed, developed, or supplied by foreign persons, and those persons frequently retain a legally cognizable interest in the underlying software, even after it has been integrated into the connected vehicle. For example, foreign software developers may earn profits from use of their software; retain data access and sharing rights to the software; or have obligations to maintain and update the software."
• Person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary means:
  • "Any person, wherever located, who acts as an agent, representative, or employee, or any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part by a foreign adversary;
  • Any person, wherever located, who is a citizen or resident of a foreign adversary or a country controlled by a foreign adversary, and is not a United States citizen or permanent resident of the United States;
  • Any corporation, partnership, association, or other organization with a principal place of business in, headquartered in, incorporated in, or otherwise organized under the laws of a foreign adversary or a country controlled by a foreign adversary; or
  • Any corporation, partnership, association, or other organization, wherever organized or doing business, that is owned or controlled by a foreign adversary, to include circumstances in which any person identified in paragraphs [1] through [3] possesses the power, direct or indirect, whether or not exercised, through the ownership of a majority or a dominant minority of the total outstanding voting interest in an entity, board representation, proxy voting, a special share, contractual arrangements, formal or informal arrangements to act in concert, or other means, to determine, direct, or decide important matters affecting an entity."
• VCS means "a hardware or software item for a completed connected vehicle that has the function of enabling the transmission, receipt, conversion, or processing of radio frequency communications at a frequency over 450 megahertz."
• VCShardware means "the following software-enabled or programmable components and subcomponents that support the function of Vehicle Connectivity Systems or are part of an item that supports the function of Vehicle Connectivity Systems: microcontroller, microcomputers or modules, systems on a chip, networking or telematics units, cellular modem/modules, Wi-Fi microcontrollers or modules, Bluetooth microcontrollers or modules, satellite navigation systems, satellite communication systems, other wireless communication microcontrollers or modules, and external antennas."

General Authorizations, Specific Authorizations, and Advisory Opinions

The Proposed Rule provides general authorizations to allow certain parties, such as small producers of vehicles, to undertake otherwise prohibited transactions in order to "minimize unanticipated and unnecessary disruption to industry."

Specifically, general authorizations for prohibited transactions will exist under limited circumstances where:

1. total model year production is less than 1000 units;
2. the vehicle will be used solely for display, testing, or research, and will not be used on public roadways; or
3. the vehicle is imported solely for purposes of repair, alteration, or competition off public roads and will be reexported within one year from the time of import.

Additionally, BIS will consider specific authorizations, which, following an application to and approval by BIS, grant VCS hardware importers and connected vehicle manufacturers the ability to engage in otherwise prohibited transactions, including because the associated undue or unacceptable risks have been, or can be, mitigated.

The Proposed Rule also indicates that BIS will establish an advisory opinion process to allow VCS hardware importers and connected vehicle manufacturers to seek guidance from BIS on whether a prospective transaction may be prohibited.

Declarations of Conformity

Parties who import non-prohibited VCS hardware or import or sell vehicles that incorporate non-prohibited covered software will be required to submit "declarations of conformity" to BIS covering all relevant VCS hardware and each group of relevant model year vehicles, to confirm that such VCS hardware is not prohibited or that such vehicles do not incorporate prohibited covered software, as applicable. Declarations of conformity will be required to include relevant hardware bills of materials and software bills of materials and will be required to be submitted annually or whenever there is a material change.

Penalties

Persons who violate, attempt to violate, conspire to violate, or knowingly cause a violation of the rule, once finalized, may be subject to civil and/or criminal penalties under the International Emergency Economic Powers Act ("IEEPA") (50 U.S.C. 1705), depending on the circumstances of the violation. Potential violations of the Proposed Rule (once finalized) that would be subject to penalties include engaging in a prohibited transaction without an applicable general authorization or specific authorization, or failure to abide by the conditions enumerated in a specific authorization. At the time of publishing of the Proposed Rule, the maximum civil penalty for violations of IEEPA is $368,136 per violation and the maximum criminal penalty is $1,000,000. Under the Proposed Rule, should BIS have reason to believe that a violation has occurred and intends to issue a civil monetary penalty, it will inform the alleged violator through a written notice of the intent to impose a penalty ("Pre-Penalty Notice"). Recipients of such notice will have the opportunity to respond in writing and provide additional information to contest the penalty within 30 days for the transmission of the original pre-penalty notice.

Next Steps

If, following consideration of comments received on this proposed rule, BIS issues a final rule to adopt the proposal, that final rule will take effect 60 days after publication in the Federal Register. Comments to the Proposed Rule are due October 28, 2024.

If you have any questions concerning the material discussed in this client alert, please contact the members of our CFIUS practice.

Public link

Please use the above public link if you want to share this noodl on another website.